Anyways, I need him to be able to update all the users in AD with their correct information like location, manager, phone numbers, etc. and my memory is killing me lately. How do I grant him access to do this again without giving him Domain Admin?

Look at the right click properties->security tab->advanced security of a user account underneath the OU you delegated access to. You should see additional access control entries for the user you have delegated control to that show up as inherited.

You can edit these permissions in the same place at the level where you created them.

Hey If you want you can use our third party application for the same. This will allow all the user to update there information on there own moreover they can reset there password and account by themselves.

It works really well. Allows to update all user attributes as well as manage distribution groups (create new, add/remove members etc). All self-service. And I think it works without any tweaks to AD delegation settings.

0

This topic has been locked by an administrator and is no longer open for commenting.